In 2023, Samsung engineers unintentionally exposed sensitive information and internal data by using ChatGPT to speed up their work. The tool wasn’t part of an approved workflow, and it wasn’t monitored by IT. What made the Samsung incident concerning was that it wasn’t a breach in the traditional sense; the engineers were authenticated, and the access was legitimate. There was no exploit, malware, or stolen credentials. And yet, trade secrets were leaked.
Security teams have spent years building accurate pictures of who has access to what, but Identity Governance and Administration (IGA) programs, access reviews, and provisioning workflows were designed to govern people, not agents.
Shadow AI, unsanctioned agents operating outside IT visibility, is creating an identity blind spot most enterprises haven’t even begun to understand. It’s easy to think that identity risk starts when access is requested, but shadow AI makes that assumption moot. According to Saviynt's CISO AI Risk Report 2026, 75% of CISOs have already discovered unsanctioned AI tools running in their production environments. The other 25% probably just haven’t looked.
Key Concepts
- Shadow AI agents are creating a major identity security blind spot by operating outside of IT visibility with valid credentials.
- Traditional identity and access management tools can’t detect shadow AI because they only monitor provisioned identities
- Securing shadow AI requires platform-level discovery, continuous visibility, and real-time identity governance controls
How shadow AI enters the enterprise undetected
Shadow AI enters your environment when employees want to be innovative, but are too busy (or too impatient) to wait for IT.
Your analyst needs to automate a customer data workflow, so she creates a Salesforce agent. Your engineer wants to speed up procurement queries, so he spends his weekend building something in Copilot Studio. Your implementation partner configures an Amazon Bedrock agent with access to core systems in order to speed up a project. None of these people is trying to create a security risk. They just want to streamline their work.
But every one of those agents now sits in your environment with credentials and access to data, and none of them went through a centralized provisioning, access review, or registration process
And the agents are only part of the problem. Enterprises are also moving data from applications where access has been governed for years—SAP, Oracle, Workday—into data warehouses like Snowflake and Databricks. The access permissions that existed in those source systems don't follow the data. So now you have shadow agents querying data stores where permissions were never defined in the first place.
Why is shadow AI harder to detect than shadow IT?
Shadow IT is a real risk, but it leaves a trail. Someone buys a SaaS tool, expenses it, and IT eventually catches it in a spend audit or a DNS log. The tools are unauthorized, but they are still assets. They are products with vendor names, billing records, and network signatures that security teams can trace.
Shadow AI agents don't leave that kind of trail. They're created inside platforms your organization already uses—Copilot Studio, Salesforce, Amazon Bedrock—by users with legitimate access. From an identity perspective, an agent with valid permissions looks indistinguishable from an authorized user. It authenticates the same way, queries the same systems, and operates within the same access boundaries. There's no rogue tool to flag or unfamiliar vendor to investigate.
What’s the real risk of Shadow AI?
Shadow AI agents carry more access than most teams realize, and that access compounds over time. A developer building an agent on a low-code platform grants it broad permissions so they can move fast. There's no deployment review or handoff to ops. Six months later, the agent still has its connections and access to systems it was never meant to touch long-term.
Unlike provisioned identities, where just-in-time access controls can limit exposure, shadow agents carry standing permissions indefinitely, with no re-certification cycle to catch them.
What’s more, these agents often don't operate in isolation. They frequently connect to Non-Human Identities (NHIs), like service accounts and API keys, and chain to other agents through Agent-to-Agent (A2A) protocols. A single shadow agent can sit at the center of a web of connections spanning multiple systems, and none of those connections are visible in your governance tools.
The A2A risk is more concrete than it sounds. Consider something as routine as an employee using an agent to purchase a ticket. That agent might hand off to a travel booking agent, which calls a payment agent, which queries an expense system. At every handoff, the original user's identity and access level need to travel with the request, and each agent in the chain needs its own governance. If even one agent in that sequence is unregistered, the entire chain is ungoverned.
And the same identity gap applies to the models themselves. If two employees prompt the same HR system and ask for salary data, they should get different answers based on their access level. But if the LLM integration hasn't inherited the right access controls, they won't. The model doesn't know what you're allowed to see unless someone told it. And for shadow deployments, nobody did.
The shadow AI blind spot most enterprises are carrying
The gap between how many AI agents an organization thinks it has and how many actually exist is wide. Every agent you don't know about is access you can't assess, risk you can't scope, and an identity no one is accountable for.
This isn’t only a security problem. Anyone focused on AI adoption knows their teams are moving fast. They need to own the access governance question with the same urgency they bring to agent functionality. Access management is the foundation of productionizing AI. If it’s weak, the house won’t hold, no matter how impressive the model is.
What's needed is discovery that works at the platform layer. Something that scans the environments where agents actually live—including agent platforms, MCP servers, underlying LLMs, and the enterprise applications they've been granted access to—and surfaces every agent regardless of how it was created.
If you can’t name every AI agent in your environment, you don’t know who, or what, has access.
Your next read: You Can’t Secure What You Can’t See – Posture Management for AI Agents.
¹https://mashable.com/article/samsung-chatgpt-leak-details
Back to Blog
.png)
.png)
